
Securing Web Services Using the SAML or UserNameToken Profiles

NetBeans Enterprise Pack 5.5 comes bundled with all the necessary runtimes to enable you to start developing secure, identity-enabled web services clients and providers. These runtimes include:

This tutorial illustrates how you can enable SAML-based and UserNameToken-based authentication between a web service client and a web service provider using the bundled Access Manager along with the integrated support for the WS-Security standard in Application Server's web services client and server-side containers.

Prerequisites

This tutorial assumes that you have some basic knowledge of, or programming experience with, the Java language and platform and the NetBeans IDE.

System Requirements

These tutorials assume that your system meets the requirements specified in the System Requirements topic of the NetBeans Enterprise Pack 5.5 Release Notes.

Software Needed for the Tutorial

Before you begin, you must install the following software on your computer:

  • NetBeans IDE 5.5 with NetBeans Enterprise Pack 5.5 (download)
  • In order to complete the deployment steps in this tutorial, you must have Sun Java System Application Server Platform Edition 9 Update 1. This Application Server is bundled with the NetBeans Enterprise Pack 5.5 download.



Configuring the Tutorial Environment

  1. Start the IDE.
  2. To verify that the Sun Java System Application Server is configured in the IDE, click the Runtime tab and expand the Servers node.
  3. If the Servers node does not contain a Sun Java System Application Server 9 node, follow the steps in Adding an Application Server.
  4. In the Runtime window, expand the Servers node, right-click the Sun Java System Application Server 9 node and choose Start from the pop-up menu.
    Wait until the following message appears in the Output window:
    Application server startup complete.
    When the server is running, the IDE displays a green arrow badge on the Sun Java System Application Server 9 node.
    Note: If the Start option is not available, your server is already running.



Creating the Tutorial Projects

There are two tutorial projects: StockServer and StockClient.

To create the StockServer project:

  1. From the IDE's main menu, choose File > New Project.
  2. In the Categories list, expand the Samples node, then select the Identity Blueprints node.
  3. In the Projects list, select Stock Service.
  4. Click Next.
  5. Accept the default Project Name (StockServer) and optionally change the Project Location.
  6. Click Finish.

To create the StockClient project:

  1. From the IDE's main menu, choose File > New Project.
  2. In the Categories list, expand the Samples node, then select the Identity Blueprints node.
  3. In the Projects list, select Stock Client.
  4. Click Next.
  5. Accept the default values for Project Name (StockClient) and Project Location.
  6. Click Finish.
    The Projects window now contains a StockClient project node.



Securing Web Services: Using the SAML-HolderOfKey Security Mechanism

In this scenario, we are using the SAML-HolderOfKey security profile without the response being signed and using the default key store. To do this, we will first edit the token profile for the Access Manager and then configure the web service provider and client.

To edit the SAML-HolderOfKey profile:

  1. In the Runtime window, expand the Sun Java System Access Managers node, then expand the Default Instance and the Profiles nodes.
  2. Select the SAML-HolderOfKey node, right-click and choose Edit.
    The Edit SAML-HolderOfKey Profile dialog box opens.
  3. Clear the Sign Response checkbox.
  4. Under Existing Certificate Settings, leave the Use Default Key Store checkbox selected.
  5. Click OK.

To configure the web service provider:

  1. In the Projects window, expand the StockServer node and the Web Services node.
  2. Under the Web Services node, right-click the stockservice node and choose Edit Web Service Attributes from the pop-up menu.
    The Web Service Provider Security Configuration dialog box opens.
  3. Select the Enable Message Level Security checkbox.
  4. Under Security Mechanisms, from the Request drop-down list, select SAML-HolderOfKey.

  5. Click OK.

To configure the web service client:

  1. In the Projects window, expand the StockClient node and the Web Service References node.
  2. Under the Web Service References node, right-click the StockService node and choose Edit Web Service Attributes from the pop-up menu.
    The Web Service Client Security Configuration dialog box opens.
  3. Select the Enable Message Level Security checkbox.
  4. Under Security Mechanism, from the Request drop-down list, select SAML-HolderOfKey.
  5. Under Existing Certificate Settings, leave the Use Default Key Store checkbox selected.

  6. Click OK.

You can now proceed to deploying and running the sample by following the instructions in Deploying and Running the Project.



Securing Web Services: Using the UserNameToken Security Mechanism

In this scenario, we are using the UserNameToken security profile with signed response and using the default key store. To do this, we will first edit the token profile for the Access Manager and then configure the web service provider and client.

To edit the UserNameToken profile:

  1. In the Runtime window, expand the Sun Java System Access Managers node, then expand the Default Instance and the Profiles nodes.
  2. Select the UserNameToken node, right-click and choose Edit.
    The Edit UserNameToken Profile dialog box opens.
  3. Under Existing Certificate Settings, leave the Use Default Key Store checkbox selected.
  4. Under Username Token Profile Info, click the Add button to add a UserNameToken record for the web service client.
    The Add User dialog box opens.
  5. In the Username field, type sherry, in the Password field, type mypw, and click OK.

  6. Click OK to close the Edit UserNameToken Profile dialog box.

To configure the web service provider:

  1. In the Projects window, expand the StockServer node and the Web Services node.
  2. Under the Web Services node, right-click the stockservice node and choose Edit Web Service Attributes from the pop-up menu.
    The Web Service Provider Security Configuration dialog box opens.
  3. Select the Enable Message Level Security checkbox.
  4. Under Security Mechanisms, from the Request drop-down list, select UserNameToken.

  5. Click OK.

To configure the web service client:

  1. In the Projects window, expand the StockClient node and the Web Service References node.
  2. Under the Web Service References node, right-click the Stockservice node and choose Edit Web Service Attributes from the pop-up menu.
    The Web Service Client Security Configuration dialog box opens.
  3. Select the Enable Message Level Security checkbox.
  4. Under Security Mechanism, from the Request drop-down list, select UserNameToken.
  5. In the Username field, type sherry and in the Password field, type mypw.
  6. Select the Verify Response checkbox.
  7. Under Existing Certificate Settings, leave the Use Default Key Store checkbox selected.

  8. Click OK.

You can now proceed to deploying and running the sample by following the instructions in Deploying and Running the Project.



Deploying and Running the Project

  1. In the Projects window, right-click the StockServer project node and choose Deploy Project.
    The IDE does the following:
    • Starts the application server if it is not already started.
    • Builds the StockServer project. You can see the build results in the Output window.
    • Deploys server.war to the Application Server.
  2. In the Projects window, right-click the StockClient project node and choose Run Project.
    The IDE does the following:
    • Builds the StockClient project. You can see the build results in the Output window.
    • Deploys client.war to the Application Server.
    • Opens the application in the browser.
    • Make sure the browser opens the following URL:
      http://localhost:8080/stockclient/

  3. Click Submit.


Exploring the Log Files

The instructions in this section are optional. They are meant for users who are interested in seeing the changes in the log files.

  1. Before you proceed to the next step, enable the finest logging level.
    Follow the instructions in Changing the Security Level on the Application Server.
  2. In the Projects window, right-click the StockClient project node and choose Run Project from the pop-up menu.
  3. Open the Application Server log file (server.log) in the following directory: application-server-installation-directory\domains\domain1\logs.
    If you accepted the default values during installation, this would be the C:\Sun\AppServer\domains\domain1\logs directory.
  4. Notice the changes in the log file.
    The log file is updated to show that the modules are using the methods defined in the configuration panels.
    Samples of sections of the modified log file are available from the links below.


Additional Configuration Tasks

This section provides information about additional configuration tasks that you may want to perform.

Adding an Application Server

  1. In the Runtime window, right-click the Servers node and choose Add Server from the pop-up menu.
    The Add Server Instance dialog box opens.
  2. In the Choose Server page, from the Server drop-down list, select Sun Java System Application Server.
  3. (Optional) In the Name field, accept the default value or type the name you want to use to identify the server in the IDE.
  4. Click Next.
    The Platform Location Folder page opens.
  5. In the Platform Location field, use the Browse button to navigate to and select the Application Server installation location.
    If you accepted the default values during the installation, the location is C:\Sun\Appserver.
  6. Select the Register Local Default Domain radio button.
  7. Click Next.
  8. Supply the user name and password for the domain's administrator.
    If you accepted the default values during the installation, the user name is admin and the password is adminadmin.
  9. Click Finish.


Verifying the Configuration of the Access Manager Installation

  1. Start the application server.
  2. In the Runtime window, expand the Sun Java System Access Managers node.
  3. Right-click the Default Instance node and choose View Admin Console.
    A new browser session starts, pointing at the following URL: http://localhost:8080/amserver.
    The Sun Java System Access Manager Log In page opens, indicating that Access Manager server is running.


Configuration Information for Application Server not Installed on Port 8080

If the installation of the Sun Java System Application Server was done on a port other than 8080, you must perform the additional configuration steps shown below.

  1. In the Projects window, expand StockClient > Web Pages > WEB-INF and wsdl, and open the stock.wsdl file in the editor.
  2. Click the Source button to switch to the Source view of the file.
  3. Scroll to the bottom of the file and locate the following line:
    <soap:address location="http://localhost:8080/stockservice/stockservice" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"/>
  4. Replace the 8080 value with the port number where the Application Server is installed.
  5. Save your changes and close the file.


Changing the Security Level on the Application Server

  1. In the Runtime window, right-click the Sun Java System Application Server 9 node and choose View Admin Console.
  2. Type admin for the username and adminadmin for the password.
  3. In the left navigation frame, click the Application Server link.
  4. In the right frame, click the Logging tab and then click the Log Levels tab.

  5. Scroll to the bottom of the page and set the Security to FINEST.

  6. Click the Save button and log out.



Troubleshooting

This section provides workaround information for issues that you may encounter.

Exception Thrown When Invoking the Client

When the client is invoked it throws the following exception on the browser:

Caught an exception java.rmi.ServerException: JAXRPCSERVLET28: Missing port information

The possible cause for this exception:

  • The security mechanism chosen for the client is not in the list of supported mechanisms for the server. In this case, ensure that you select the same security mechanism for the client and the server.
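To see which token a request actually carries, for example when chasing the mechanism mismatch above or reading a captured message next to the FINEST-level log, the following added example (not part of the original tutorial or of NetBeans or Access Manager) classifies the wsse:Security header of a SOAP 1.1 envelope. It assumes WS-Security 1.0 and SAML 1.x namespaces, uses constructed sample messages, and only detects the presence of a ds:Signature without verifying it; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Namespace and URI constants from the WS-Security 1.0, SAML 1.x and XML-DSig specifications.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/", "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
HOK = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"

def describe_security_header(envelope_xml):
    """Return (mechanism, findings) for the wsse:Security header of a SOAP 1.1 message."""
    sec = ET.fromstring(envelope_xml).find("soap:Header/wsse:Security", NS)
    if sec is None:
        return "none", ["no wsse:Security header"]
    signed = sec.find("ds:Signature", NS) is not None  # direct child = message signature
    findings = [] if signed else ["message is not signed"]
    if sec.find("wsse:UsernameToken", NS) is not None:
        pw = sec.find("wsse:UsernameToken/wsse:Password", NS)
        # A missing Type attribute means PasswordText per the UsernameToken profile.
        if pw is not None and pw.get("Type", UTP + "#PasswordText") != UTP + "#PasswordDigest":
            findings.append("password is sent as clear text")
        return "UserNameToken", findings
    if sec.find("saml:Assertion", NS) is not None:
        methods = [m.text.strip() for m in sec.iterfind(".//saml:ConfirmationMethod", NS) if m.text]
        return ("SAML-HolderOfKey" if HOK in methods else "SAML-other"), findings
    return "unknown", findings

def check_against_provider(envelope_xml, provider_mechanism):
    """Add a finding when the request token differs from the provider's mechanism."""
    mechanism, findings = describe_security_header(envelope_xml)
    if mechanism != provider_mechanism:
        findings.append("client sent %s, provider expects %s" % (mechanism, provider_mechanism))
    return mechanism, findings

def _envelope(children):  # wraps header children in a constructed SOAP envelope
    attrs = " ".join('xmlns:%s="%s"' % kv for kv in NS.items())
    return ("<soap:Envelope %s><soap:Header><wsse:Security>%s</wsse:Security>"
            "</soap:Header><soap:Body/></soap:Envelope>" % (attrs, children))

# Constructed samples, not captured from the tutorial's server.log.
USERNAME_SAMPLE = _envelope(
    "<wsse:UsernameToken><wsse:Username>sherry</wsse:Username>"
    '<wsse:Password Type="%s#PasswordText">mypw</wsse:Password></wsse:UsernameToken>' % UTP)
HOK_SAMPLE = _envelope(
    "<saml:Assertion><saml:AuthenticationStatement><saml:Subject><saml:SubjectConfirmation>"
    "<saml:ConfirmationMethod>%s</saml:ConfirmationMethod></saml:SubjectConfirmation>"
    "</saml:Subject></saml:AuthenticationStatement></saml:Assertion><ds:Signature/>" % HOK)
```

Calling `check_against_provider(HOK_SAMPLE, "UserNameToken")` reports the same client/provider disagreement that surfaces in the browser as the JAXRPCSERVLET28 exception.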



Summary

In this tutorial, you used the NetBeans Enterprise Pack 5.5 to add SAML-based and UserNameToken-based authentication to an application. The tutorial shows the inherent ease of use provided by NetBeans since all you needed to do was use the Web Service Client and Provider Security Configuration wizards; no detailed knowledge of SAML was needed!


